
Slides for the PBI Real Estate Institute on Security Client Data


My presentation in Philadelphia on the issue of the ethical obligations of law firms to secure client data. I explore some of the ethics rules, and technological solutions.

1. Keep Your Client’s Data Safe or Pay the Price
   JENNIFER ELLIS | JENNIFER ELLIS, JD, LLC | JENNIFER@JLELLIS.NET
   COPYRIGHT JENNIFER ELLIS, 2017. ALL RIGHTS RESERVED

2. What is a Data Breach?
   • Hacker breaks into firm’s computer system
   • Stolen or lost phone, tablet or laptop
   • Someone breaks into office(s)
   • Someone hacks home WiFi
   • Lost or stolen USB key with firm data
   • Lost or stolen hard files
   • Client information discarded without shredding
   • Someone breaks into firm email
   • Employee unauthorized to do so reviews a client file
   • Returned copier with scanned data intact

3. All and More
   • A data breach is any time any sensitive, protected or confidential client data is accessed by an unauthorized individual
   • Whether hard files or electronic data

4. How Many Data Breaches in 2016?
   • 1,093 data breaches for U.S. companies and government agencies
      • 40% increase from 2015
   • Most data breaches never discovered
   • Most data breaches never reported
   • At least half involved Social Security numbers
      • 4 breaches exposed 120 million Social Security numbers
   • Health care is a common target
      • Responsible for half of breach notifications affecting 500 or more individuals
      • Averaged one health data breach per day
      • More than 27 million patient records

5. Credit Agencies
   • Equifax – mid May through July 2017
      • 143 million U.S. consumers
      • If you have a credit report, you were probably affected
      • Names, Social Security numbers, birth dates, addresses, drivers’ license information
      • Credit card numbers from 209,000
      • Dispute documents from 182,000
   • Equifax – May 2016
      • W2Express website
      • Downloadable W-2 forms for Kroger employees
      • Tax data and salary details

6. Credit Agencies
   • Equifax, Experian & TransUnion – March 2013
      • Focused on celebrities and high profile figures
         • Michelle Obama, Paris Hilton, Hillary Clinton, Robert Mueller
      • Credit reports
      • Used publicly available information to bypass security questions
   • Experian – September 2013 through September 2015
      • Million U.S. consumers
      • Applied for financing from T-Mobile
      • Names, birth dates, addresses, Social Security numbers, drivers’ license information and more

7. Credit Cards in 2016
   • $16 billion in fraud and identity theft
   • 15.4 million Americans
   • Card-not-present is the biggest form of fraud
      • 40% increase from 2015
      • This gets around chip-embedded cards

8. Law Firm Breaches in 2016
   • American Bar Association Tech Report
   • Largest firms (500 or more attorneys)
      • Reported most security breaches
      • 26% admitted breaches
      • Upward trend
   • 37% downtime/loss of hours
   • 28% expensive consulting fees
   • 22% costs to replace hardware/software
   • 14% loss of important files and information
   • 15% of firms victim of breach
   • Almost 50% of firms have no response plan

9. Rule 1.1: Competence
   • Attorneys must be aware of both “the benefits and risks associated with relevant technology”
      • 1.1 Comment 8
   • Must take reasonable steps to mitigate risks
   • Refer cases out?
      • Responsible for making certain the other lawyer is competent
      • Includes proper use of technology

10. Rule 1.15: Safekeeping
   • Focuses on finances
   • Implies others, including documents
   • Mentioned in comment 9 to Rule 1.18: “[f]or a lawyer's duties when a prospective client entrusts valuables or papers to the lawyer's care, see Rule 1.15.”

11. Rule 1.4: Communications
   • Use a method as secure as necessary for the level of the data
   • Standard is what is reasonable under the circumstances
   • Encrypt email?
   • Consider using a password for documents

12. Rule 1.6: Confidentiality of Information
   • Lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
   • Duty survives termination of representation
      • Must protect data from first moment to last
      • Rules vary on how long you must keep files
         • Minimum 5 years in Pennsylvania
         • Practice area impacts retention requirements
         • PBA Ethics Opinion 2007-100, Client Files – Rights of Access, Possession and Copying, Along with Retention Considerations
   • Potential clients’ data must be protected
      • Rule 1.18

13. Safe Harbor: Rule 1.6, Comment 25
   • Will not be found in violation “if the lawyer has made reasonable efforts to prevent the access or disclosure”
   • Reasonable depends on factors:
      1. Sensitivity of information
      2. Likelihood of disclosure if additional safeguards not employed
      3. Cost of employing additional safeguards
      4. Difficulty implementing safeguards
      5. Extent safeguards adversely impact lawyer’s ability to represent clients

14. Rules 5.2 & 5.3: Supervise Staff & Third Parties
   • Partners and senior lawyers are responsible for the conduct of those who work under them.
   • All lawyers are responsible for supervising staff and third parties.
   • Critical to educate non-lawyers about attorney ethics obligations and relevant laws.
   • May not allow others to do what you cannot do

15. Pennsylvania Law
   • Breach of Personal Information Notification Act
      • Shall provide notice of any breach following discovery of the breach
         • For unencrypted or unredacted personal information that was or is reasonably believed to have been accessed or acquired by an unauthorized person
         • Without unreasonable delay
      • Encrypted data must be reported only if the key was also available
      • Over 1,000 people: must notify consumer reporting agencies
      • Attorney General has exclusive authority to bring actions
      • No successful lawsuits in Pennsylvania yet

16. Other States or Countries
   • Must make certain to follow the laws of any states or countries in which you have clients and/or obtain data
   • Store data in another country?
      • Might be required to meet their data requirements

17. Public Relations
   • Breaches cause public relations nightmares
   • Many businesses are questioning firms on their security
      • Especially larger firms
   • Clients are becoming more aware of the risks and expect proper security
   • Numerous stories involving large companies and large firms

18. Keeping Data Secure

19. Audit Your Firm
   • Size and budget will dictate your approach – must be familiar with ethics rules and HIPAA
      • Privacy and security company
         • Experience auditing businesses of similar size and complexity
      • Mid-sized IT company
      • Small IT company

20. Every Aspect Must Be Audited
   • The most likely spot of attack is the weakest one
   • Working from home
   • Mobile devices and access
   • Bad disposal methods
      • Both paper and electronic data
      • Including old phones and hard drives
      • Don’t forget copiers with memory
   • Passwords
   • Phishing

21. Review the Results – Respond
   • Technology improvements
   • Destruction methods and follow-through
   • Security issues
   • Training
   • Written policies
   • Response plan

22. Common Technology Improvements
   • Old technology is not secure
      • Plan to replace computers every 3-5 years
      • Mobile devices running old operating systems
      • Out-of-date server
   • Email
      • No free Gmail, Hotmail, AOL, Yahoo!, etc.
      • Use Exchange Server, Office 365, Google Business

23. Common Technology Improvements
   • Proper and secure backup
   • Passwords
   • Mobile use
   • Work from home
   • Encryption
   • Document sharing
   • Firewalls

24. Email
   • Make clear email is not secure
      • Address in engagement agreement as appropriate
   • Provide client with options
   • Add additional encryption if appropriate
      • ZixCorp
      • PGP
      • VeraCrypt
      • AxCrypt

25. Cloud Computing
   • Choose provider carefully
      • Location
      • History
      • Ability to remove content
      • Security
         • Encrypted?
         • Zero-knowledge password?
         • Too easy to share?

26. What is the Cloud?
   • Upload your data to a server (computer) through the Internet.
   • Server normally owned by a 3rd party.
   • Access your data from any internet-enabled device.
   • Sometimes all data is stored on the server
   • Sometimes data is stored locally and on the server

27. Examples
   • SpiderOak
      • Zero knowledge
      • Extremely secure
      • Learning curve
   • DropBox
      • Add additional encryption
   • Vivio

28. Encryption
   • Many phones provide an encryption option
   • Programs available for encrypting USB and hard drives
      • BitLocker
      • VeraCrypt
      • Other options

29. Choosing Passwords
   • Choose complex passwords
      • https://identitysafe.norton.com/password-generator/
      • At least 14 characters, preferably more
      • Mix upper, lowercase, numbers, and if allowed, special characters
   • Change high-risk passwords every 3-6 months
   • Use a tool such as LastPass to remember passwords
      • That way you only have to remember one
      • Make it extremely secure
   • Do not repeat passwords

30. Turn On Two-Factor Authentication
   • Uses two steps to protect accounts
      • When you forget a password
      • When you try to use a new device
   • Sends a code to your cell phone
   • Enter the code on the device you are trying to use the account on
31. Wi-Fi
   • Secure your home Wi-Fi
      • https://www.pcmag.com/article2/0,2817,2409751,00.asp
   • Don’t use free Wi-Fi
   • Don’t use hotel Wi-Fi
   • Get a hot spot
      • Often $20 per month
      • Can get pay-as-you-go

32. Physical Improvements
   • Security system
      • Office
      • Home
      • Wireless system
         • $200-300 basic system
         • SimpliSafe
         • Fortress Security Store
   • Safe environment for paper
   • Shredding and destruction
      • Paper
      • Hard drives

33. Training
   • Phishing
   • Social engineering
   • Password use
   • Document destruction
   • Sharing technology
   • Mobile devices
   • General technology use
   • FTC Examples

34. Plan for Employee Departure
   • Create a process for when employees leave
      • Remove email
      • Remove network access
      • Lock out virtual connections
      • Be aware of cloud access
      • Get back laptops, phones, etc.
   • For attorney employees, be aware of obligations to inform clients about departures

35. Written Policies
   • Create written technology policy
   • Include mobile use
      • Require an app that provides the ability to track and wipe
         • iOS – Find My Phone
         • Android – numerous options
            • Lookout
            • Google free
      • Malware scanning
      • Review sharing when installing apps
   • No work on personal email accounts
   • No sharing devices

36. Rapid Response Plan
   • Who starts the process?
   • Who is involved at each step of the way?
   • Identify problem
   • Lock it down
   • Review the damage – Repair the damage
   • Notification required?

37. Example – Phone
   • Lost or stolen cell phone
      • Require immediate notification to firm
   • Identify security
      • Did it have a password?
      • Was it encrypted?
   • Can you find it?
      • Tracking
      • Can you get it back?
      • If not, can you wipe it?
   • What was on it?
      • Was it accessible?
      • How long was it gone?
   • What was the damage to data?
      • Potential
      • Actual
   • Is notification required?

38. Example – USB Key
   • What was on it?
   • Where was it lost?
   • Was it encrypted?
   • Was the encryption key accessible?

39. Plan for PR
   • Large data breach?
      • Retain PR company and draft a statement
      • Move rapidly
      • Be ready to communicate with the legal press
   • Understand the ramifications
      • Clients will become concerned about their own security

40. Purchase Cyber Insurance
   • Most insurance plans do not include data breach or cybersecurity
   • Cost to even a small firm to repair a breach averages $40,000
   • Consider
      • Down time
      • Lost clients
      • Cost to notify
      • Potential fines

41. Security Tips for You and Your Clients

42. Protecting Yourself
   • Sign up for insurance
      • Check your homeowners policy
   • Get copies of your credit reports frequently
      • Should come with insurance
      • AnnualCreditReport.com
         • Each agency must give one every 12 months for free
      • Do not sign up for “free” companies that are not well known

43. Credit Freeze
   • Credit freeze (security freeze)
      • Prevents opening new accounts
      • Will not protect already open accounts
   • Have to call each agency
      • There may be a fee of between $5 and $10
      • Equifax: 1-800-349-9960
      • Experian: 1-888-397-3742
      • TransUnion: 1-888-909-8872

44. Fraud Alert
   • Fraud alert
      • Concerned you may become a victim
      • Prevents unverified access for 90 days
   • Extended fraud alert
      • Already a victim of identity theft
      • Seven years
   • Contact one of the companies listed previously
      • That company will inform the others
      • No fee

45. Phone Scams are Common

46. Homeland Security Scam
   • Claim to be from Department of Homeland Security – Immigration
   • Caller ID shows 800-323-8603
      • Hotline number
      • Never used for outgoing calls
   • Demands the person prove who they are
   • Sometimes tells the person they are a victim of identity theft

47. FBI
   • Claim to be from FBI
   • Claim they are investigating the person
   • Demand money or the person will be arrested
   • Spoofs local FBI phone number
   • FBI does not call to demand money or threaten arrests
   • Get information about local offices
      • https://www.fbi.gov/contact-us/field-offices

48. Can You Hear Me?
   • Voice asks “Can you hear me?”
   • You respond yes.
   • They record the yes and use it as a voice signature to approve various things.
   • Just hang up if they call
   • If you already said yes, check your bank and credit card statements for unauthorized charges

49. Fake Bank Numbers
   • Text you claiming that your bank is concerned about a charge
   • Provides a number for you to call
   • You call the number, they ask for information
   • They use that information to steal from your bank account
   • Always make sure you call the bank directly

50. Computer Support
   • Claim to be from Microsoft or Apple
   • Ask for information to log in to accounts
   • Ask to be able to take control of your computer
   • Ask for money to pay for services they claim they performed

51. Types of Specialized Fraud

52. Arrest Fraud
   • Someone uses your name and information when arrested
   • You end up with a warrant
      • You get pulled over
      • You get arrested
   • Requires a lawyer’s assistance

53. Child ID Theft
   • Begins with child’s Social Security number
   • Create an entirely new identity on the child
      • Government benefits
      • Bank accounts
      • Credit card accounts
   • Often not known until the child is an adult
   • Check your child’s credit too

54. Tax ID Theft
   • Use your Social Security number to file a fake tax return
   • Unknown to you until you try to file your own
      • Or you receive a warning letter from the IRS
   • If it occurs:
      • File a complaint at identitytheft.gov
      • Contact one credit bureau and set a fraud alert
      • Contact all financial accounts
         • Close and create new ones
      • Complete IRS form 14039 – Identity theft affidavit

55. Medical ID Theft
   • Steal personal information to
      • Obtain medical care
      • Buy drugs
      • Submit fake bills to Medicare
   • Solution, contact:
      • Department of Health & Human Services – Inspector General
      • Medicare Call Center
      • Federal Trade Commission

56. Social ID Theft
   • Someone creates an online social media presence using your information
   • Often uses such information to fool people into giving them money
   • Commonly used in romance scams
   • Periodically search your name and photos online
   • Watch out for warnings from friends

57. Additional Tips

58. Additional Issues to Consider
   • Use firewalls
   • Do not use computers you don’t know
   • Closely watch banks and credit cards
   • Don’t carry your Social Security card
   • Don’t let mail pile up
      • Put it on hold if going away
   • If bills seem late or don’t arrive, call the company

59. Find Slides at jlellis.net/blog/pbi-real-estate
   JENNIFER ELLIS | JENNIFER ELLIS, JD, LLC | JENNIFER@JLELLIS.NET
   COPYRIGHT JENNIFER ELLIS, 2017. ALL RIGHTS RESERVED
